In Figure 1, PC1, PC2, and PC3 connect to the company network through the switch. To secure access, port security is enabled on the interface of the switch. In addition, the maximum number of MAC addresses that can be learned on the interface is set to the number of access users. This ensures that external users cannot use their PCs to access the company network.
The configuration roadmap is as follows:
Create a VLAN to implement Layer 2 forwarding.
Configure port security so that learned MAC address entries are not aged out.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
# Add GE0/0/1 to VLAN 10. The configurations of GE0/0/2 and GE0/0/3 are similar to the configuration of GE0/0/1, and are not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
# Enable the sticky MAC address function and set the maximum number of MAC addresses. The configurations of GE0/0/2 and GE0/0/3 are similar to the configuration of GE0/0/1, and are not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-security enable
[Switch-GigabitEthernet0/0/1] port-security mac-address sticky
[Switch-GigabitEthernet0/0/1] port-security max-mac-num 1
If PC1, PC2, and PC3 are replaced by other PCs, the new PCs cannot access the company network.
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
return
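The following audit script is an added example, not part of the original configuration guide or any vendor tool. It parses a configuration file in the layout shown above and reports access ports that lack port security, sticky MAC, or that allow more MAC addresses than intended. The ports GE0/0/4 and GE0/0/5 in the sample are hypothetical, and the script assumes a limit of 1 when no `port-security max-mac-num` line is present in a stanza.

```python
import re

# Constructed sample in the layout of the configuration file above.
# GE0/0/4 and GE0/0/5 are hypothetical ports added to trigger findings.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type access
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet0/0/4
 port link-type access
#
interface GigabitEthernet0/0/5
 port link-type access
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 5
#
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("#", "return", ""):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def audit_port_security(config, max_allowed=1, default_max=1):
    """Return {interface: [findings]} for access ports that deviate."""
    required = ("port-security enable", "port-security mac-address sticky")
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "port link-type access" not in cmds:
            continue  # only access ports are in scope
        issues = [f"missing: {c}" for c in required if c not in cmds]
        limit = default_max  # assumed limit when max-mac-num is not shown
        for c in cmds:
            if m := re.fullmatch(r"port-security max-mac-num (\d+)", c):
                limit = int(m.group(1))
        if limit > max_allowed:
            issues.append(f"max-mac-num {limit} exceeds {max_allowed}")
        if issues:
            findings[name] = issues
    return findings
```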